ACL-Allow a host to access internet and block local NW
03-11-2020 02:13 AM
Dear Friends
I want to allow a host (10.10.10.2) to access the internet and block it from reaching the local networks (10.10.20.0 & 10.20.20.0). At the same time, the other hosts in the local networks (10.10.20.0 & 10.20.20.0) need to be allowed to access that host (10.10.10.2).
I have created an ACL as below:
ip access-list extended 101
10 permit ip any host 10.10.10.2
20 deny ip host 10.10.10.2 10.10.0.0 0.0.255.255
30 deny ip host 10.10.10.2 10.20.0.0 0.0.255.255
40 permit ip host 10.10.10.2 any
The host is able to access the internet, but the local networks are not able to reach the host.
Please advise.
Thanks and Regards,
Hameed
Labels: Other Switches
03-11-2020 02:33 AM
You also need to add permit entries for networks 10.10.20.0 & 10.20.20.0 to reach the 10.10.10.2 IP address.
03-11-2020 02:42 AM
I have added "10 permit ip any host 10.10.10.2" as the first line, so it should allow all networks to reach the host.
Am I right?
03-11-2020 02:54 AM
Hello,
--> I want to allow a host (10.10.10.2) to access the internet and block it from reaching the local networks (10.10.20.0 & 10.20.20.0). At the same time, the other hosts in the local networks (10.10.20.0 & 10.20.20.0) need to be allowed to access that host (10.10.10.2).
If you want to have one way access (allow traffic from host 10.10.10.2 to local networks but not vice versa) you could use the 'established' keyword:
access-list 101 permit tcp <source> <mask> <destination> <mask> established
03-11-2020 03:24 AM
"If you want to have one way access (allow traffic from host 10.10.10.2 to local networks but not vice versa) you could use the 'established' keyword:"
I want to allow the local networks to access the host 10.10.10.2, but not vice versa.
I have added the line to the access list, but it is not working:
access-list 101 permit tcp 10.10.20.0 0.0.255.255 host 10.10.10.2 established
03-11-2020 05:54 AM
Hello,
what subnet masks are you using for your networks:
10.10.10.0/?
10.10.20.0/?
10.20.20.0/?
The access list you configured:
access-list 101 permit tcp 10.10.20.0 0.0.255.255 host 10.10.10.2 established
cannot work because you are trying to permit traffic from within the same subnet, 10.10.0.0/16. You need to make sure all your networks have a /24 mask and change the access list to:
access-list 101 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.2 established
03-11-2020 08:10 AM
Sorry friends, I made a typo.
01. Host 10.10.10.2
02. Network 10.10.20.0/24
03. Network 10.10.30.0/24
04. Network 10.10.40.0/24
05. Network 10.20.20.0/24
My access list is:
access-list 101 permit tcp 10.10.0.0 0.0.255.255 host 10.10.10.2 established
I have some networks in the same range, so the host needs to be blocked from accessing the other networks.
But this is not working.
My duty time is finished now. I will check tomorrow and update.
03-11-2020 04:04 AM
Hi,
For the unidirectional traffic flow, there are two possible use-cases, which one fits your needs?
1. only one side can initiate the traffic (10.10.20.0 and 10.20.20.0 towards 10.10.10.2), but in the end once the session is established (like TCP), flow is allowed both ways.
2. only one side can send traffic to the other side (10.10.20.0 and 10.20.20.0 towards 10.10.10.2), while reverse traffic (as a response or as a flow initiation) is denied.
Based on what you need, different solutions apply.
Regards,
Cristian Matei.
03-11-2020 04:24 AM
2. only one side can send traffic to the other side (10.10.20.0 and 10.20.20.0 towards 10.10.10.2), while reverse traffic (as a response or as a flow initiation) is denied.
03-11-2020 04:35 AM - edited 03-11-2020 04:37 AM
Have you tried the option suggested with "established"?
Since traffic can be initiated from the other networks to x.2, and x.2 cannot access anything.
Here is a reference guide if you would like to refer to it:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
Once you have updated the ACL and tested it, let us know the outcome.
03-11-2020 11:15 AM
Hi,
And apply the ACL inbound on the interface which is the default gateway for 10.10.10.2:
ip access-list extended INGRESS_VLANX
deny ip host 10.10.10.2 10.10.20.0 0.0.0.255
deny ip host 10.10.10.2 10.20.20.0 0.0.0.255
permit ip any any
Regards,
Cristian Matei.
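The following is an added worked example, not code from the thread or from Cisco. It is a small stateless evaluator of IOS extended-ACL semantics (first match wins, wildcard masks, implicit deny, and the "established" keyword, which matches only TCP segments carrying ACK or RST) and runs the original poster's list and an "established"-based list against constructed packets. It assumes, as the last reply suggests, that the ACL is applied inbound on the interface that is the default gateway for 10.10.10.2, so every packet it filters is sourced by that host; the LAN and internet addresses in the packets are made up.

```python
"""Stateless ACL evaluator for the thread's scenario.

Added example, not code from the forum thread. It models the IOS
extended-ACL behaviour that decides this case: first match wins, the
wildcard mask marks the bits that must match (0 = must match), an implicit
'deny ip any any' ends every list, and the 'established' keyword matches only
TCP segments with ACK or RST set (the reply half of a session, never the
opening SYN). The ACL is assumed to be applied inbound on the interface
that is 10.10.10.2's default gateway, so every packet it sees is sourced
by 10.10.10.2. All other addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


def _addr(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches everything, else exact protocol
    src: int
    src_wild: int         # wildcard: 0 bits must match, 1 bits are don't-care
    dst: int
    dst_wild: int
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if (_addr(p.src) ^ self.src) & ~self.src_wild & 0xFFFFFFFF:
            return False
        if (_addr(p.dst) ^ self.dst) & ~self.dst_wild & 0xFFFFFFFF:
            return False
        if self.established and not (p.proto == "tcp" and (p.ack or p.rst)):
            return False
        return True


def _address_spec(tokens: list) -> tuple:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _addr(tokens.pop(0)), 0
    return _addr(tok), _addr(tokens.pop(0))


def parse_acl(text: str) -> list:
    """Parse the body lines of an 'ip access-list extended' block.

    Leading sequence numbers are accepted and ignored; evaluation order is
    the order of the lines, as in the thread's posts."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0].isdigit():
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        src, src_wild = _address_spec(tokens)
        dst, dst_wild = _address_spec(tokens)
        aces.append(Ace(action, proto, src, src_wild, dst, dst_wild,
                        "established" in tokens))
    return aces


def evaluate(acl: list, p: Packet) -> str:
    """First match wins; no match means the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# The original poster's list, applied inbound on 10.10.10.2's gateway interface.
ORIGINAL = parse_acl("""
10 permit ip any host 10.10.10.2
20 deny ip host 10.10.10.2 10.10.0.0 0.0.255.255
30 deny ip host 10.10.10.2 10.20.0.0 0.0.255.255
40 permit ip host 10.10.10.2 any
""")

# Use-case 1 from the thread: the local networks may open TCP sessions to the
# host and the host may only answer them. The 'established' lines must come
# before the denies, and their source is the host, because that is the only
# source this inbound interface ever sees.
ONE_WAY_INITIATION = parse_acl("""
permit tcp host 10.10.10.2 10.10.0.0 0.0.255.255 established
permit tcp host 10.10.10.2 10.20.0.0 0.0.255.255 established
deny ip host 10.10.10.2 10.10.0.0 0.0.255.255
deny ip host 10.10.10.2 10.20.0.0 0.0.255.255
permit ip any any
""")

# Constructed packets, as seen inbound on the host's gateway interface.
HOST_OPENS_TO_LAN = Packet("10.10.10.2", "10.10.20.5", "tcp")               # SYN
HOST_REPLIES_TO_LAN = Packet("10.10.10.2", "10.10.20.5", "tcp", ack=True)   # SYN/ACK, data
HOST_TO_INTERNET = Packet("10.10.10.2", "198.51.100.10", "tcp")
HOST_UDP_REPLY_TO_LAN = Packet("10.10.10.2", "10.20.20.7", "udp")


def compare() -> dict:
    """Verdicts as (ORIGINAL, ONE_WAY_INITIATION) for each constructed packet."""
    pkts = {
        "host opens to LAN": HOST_OPENS_TO_LAN,
        "host replies to LAN": HOST_REPLIES_TO_LAN,
        "host to internet": HOST_TO_INTERNET,
        "host UDP reply to LAN": HOST_UDP_REPLY_TO_LAN,
    }
    return {name: (evaluate(ORIGINAL, p), evaluate(ONE_WAY_INITIATION, p))
            for name, p in pkts.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:24s} original={before:6s} with established={after}")
```

Running it shows why the original list breaks connections from the LAN to the host: the host's reply segments leave with a LAN destination, a stateless ACL has no memory that a session was opened from the other side, and sequence 20 denies them, so "permit ip any host 10.10.10.2" at sequence 10 never helps on this interface. The "established" entries are the stateless approximation of a stateful rule and only apply to TCP, which is why the UDP reply is still denied in both lists; they also pass any ACK-flagged probe the host might send, so they are weaker than a reflexive ACL or a zone-based firewall. Note that on this inbound interface an entry with the LAN as source, such as "permit tcp 10.10.0.0 0.0.255.255 host 10.10.10.2 established", can never match, because no packet arriving here has a LAN source. Cristian's final list implements use-case 2 (no reply traffic at all), under which every TCP session from the LAN to the host fails at the handshake.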
